If this is your first visit, be sure to
check out the FAQ by clicking the
link above. You may have to register
before you can post: click the register link above to proceed. To start viewing messages,
select the forum that you want to visit from the selection below.

While not the cause of your problem (see prior reply), your script is wide open to SQL injection attacks/errors. See mysql_real_escape_string() for an immediate solution, though a more robust solution would be to move from the now-deprecated mysql extension to either mysqli or pdo extensions, and make use of prepared statements and bound input parameters.

Basically, it's a situation where user inputs contain text that can change what your database query actually does. Let's suppose you have a query that uses one input parameter:

PHP Code:

$query = "SELECT * FROM some_table WHERE foo = '$input'";

Now, let's suppose a nasty user inputs the value:

Code:

x' OR 1 IN (UPDATE users SET user_type='ADMIN' WHERE 1=1 RETURNING user_id) --

Now your PHP code would turn every user in the database into an admin-level user (assuming the attacker knows or has correctly guessed your database scheme), as the value of $query would now be:

Code:

SELECT * FROM some_table WHERE foo = 'x' OR 1 IN (UPDATE users SET user_type='ADMIN' WHERE 1=1 RETURNING user_id) --'

This can be prevented by using an appropriate escaping function on any inputs being used in a query, in your current situation being the mysql_real_escape_string() function (which uses a back-slash as its escaping character, much as PHP does when you use it to escape quotes within a quoted string), and you can also use type-casting to make sure numeric values are, in fact, numeric. DB extensions that provide for the use of prepared statements and bound parameters provide a means to let the database interface itself to handle the escaping itself.

thanks mate, just a quick question i was reading my php book to see if it alliterated a bit on securing the queries and found that they recommend using htmlentities(). is this just as good to use or equivalent? and am i right in thinking that i use it like this
$my_variable = htmlentities('select * from some_table')

I don't use it much. And one would definitely not use it the way you think.

Securing query statements is more about checking the input values that you are going to use in a query. Doing escapes on them, checking that they are of the type that you expect, things like that. Also the use of prepared statements is the very much preferred method of doing queries which alleviates a lot of the security worries.

htmlentities() is for output to an [x]html document. The best and safest way to protect your database is with the functions/methods specifically designed for that. Besides, in most cases, you do not want HTML character entities in your database.

"Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be."
~ Terry Pratchett in Nation